EdSecLedger
Breach Analysis5 min read

Trocaire College Breach Exposes SSNs and Passport Numbers

Analysis of the Trocaire College data breach where attackers accessed SSNs, driver's licenses, and passport numbers affecting 23,436 individuals over a two-day intrusion in March 2025.

By EdSecLedger
Records: 23,436
Vector: unauthorized access
Status: confirmed
Occurred: Mar 12, 2025Discovered: Mar 13, 2025Disclosed: Jan 28, 2026
Exposed:NamesSSNdrivers_licensepassport
Sources:Maine Attorney General

Trocaire College, a small private institution in Buffalo, New York, disclosed a data breach affecting 23,436 individuals after attackers accessed files containing Social Security numbers, driver's license numbers, and passport numbers. The breach occurred over a two-day window in March 2025, but affected individuals weren't notified until January 2026 — a ten-month gap that raises serious questions about the institution's incident response process.

The Maine Attorney General's filing shows the notification was submitted on January 28, 2026, with letters mailed to affected individuals on January 16. For a college that enrolled roughly 1,000 students at its peak, the 23,436 affected individuals suggest years of accumulated records were in the compromised files — including alumni, former employees, and applicants.

A Two-Day Window, Ten Months to Notify

The intrusion timeline was brief. Attackers accessed Trocaire's systems between March 12 and March 13, 2025. The college detected unusual network activity on March 13 and engaged cybersecurity experts to investigate.

What followed was a painfully slow process. The forensic investigation confirmed that files "may have been acquired without authorization" during that two-day window. Trocaire then launched a review of the affected data to identify individuals and their contact information. That review didn't conclude until December 4, 2025 — nine months after the breach itself.

Notification letters went out on January 16, 2026, more than ten months after the attackers were in the network. While complex data reviews do take time — matching unstructured file contents to individual identities is labor-intensive — ten months tests the limits of what regulators and affected individuals consider reasonable.

High-Value Data at Risk

The types of data compromised make this breach particularly concerning. The notification confirms exposure of:

  • Social Security numbers — the single most valuable piece of data for identity theft
  • Driver's license or state identification numbers — used for synthetic identity creation
  • Passport numbers — enables international identity fraud

This combination of government-issued identifiers creates serious long-term risk for affected individuals. Unlike credit card numbers that can be reissued, SSNs and passport numbers are permanent identifiers. For students and alumni who may be early in their credit history, the exposure of SSNs is especially dangerous — thin credit files are easier to exploit for fraudulent account opening.

Trocaire is offering 12 months of IDX credit and CyberScan monitoring with a $1,000,000 insurance reimbursement policy. Given that the data includes passport numbers, affected individuals may also want to contact the U.S. Department of State about flagging their passport for potential misuse.

Small College, Large Impact

Trocaire is a small private Catholic college that has faced enrollment and financial challenges in recent years. With a campus at 360 Choate Avenue in Buffalo, the institution historically served healthcare-focused programs including nursing and health information management.

The 23,436 affected individuals far exceeds the college's current enrollment, indicating the compromised files contained historical records — likely spanning years or decades of students, employees, and applicants. This is a common pattern at educational institutions, which tend to retain records far longer than necessary. FERPA requires institutions to maintain education records but doesn't mandate indefinite retention of associated PII like SSNs and passport numbers.

The breach at Trocaire mirrors a broader vulnerability across small colleges. Unlike large universities with dedicated security operations centers, small institutions often rely on a handful of IT staff who manage everything from email to network security. The EDUCAUSE 2024 Top 10 IT Issues report identified cybersecurity as the number one concern for higher education IT leaders, yet budgets at small institutions rarely match the risk.

Regulatory Exposure

As a New York institution, Trocaire operates under some of the country's strictest data protection requirements. New York's SHIELD Act (Stop Hacks and Improve Electronic Data Security) requires businesses and organizations holding New York residents' private information to implement reasonable safeguards. The Act also expanded the definition of a breach and shortened notification timelines.

Under FERPA, Trocaire has obligations regarding the protection of student education records. If the compromised files included academic transcripts, enrollment records, or financial aid data alongside the SSNs and passport numbers, the Department of Education's Privacy Technical Assistance Center (PTAC) may become involved.

Other education institutions disclosed breaches around the same time. Portland Public Schools reported 12,128 records compromised in January 2026, while Clackamas Community College disclosed a breach affecting 33,381 individuals. The pattern of education institutions filing clusters of notifications in early 2026 for incidents that occurred throughout 2025 suggests many are still working through their breach response backlog from last year.

Action Items for Higher Education Institutions

  1. Audit your data retention practices. If Trocaire had purged SSNs and passport numbers for individuals no longer affiliated with the institution, the blast radius would have been a fraction of 23,436. Implement data minimization policies that align with FERPA's actual requirements rather than blanket retention.

  2. Passport numbers should almost never be stored. Review whether your institution collects and retains passport data. International student offices may collect this for I-20 processing, but it should be purged from general file systems after the specific need has passed.

  3. Small colleges need managed security services. If you can't afford a full-time security team, engage a managed detection and response (MDR) provider. The cost of a year of MDR service is a fraction of the breach response, credit monitoring, and legal fees Trocaire is now incurring.

  4. Test your incident response timeline. Ten months from breach to notification is too long. Run tabletop exercises that include the data review phase — this is often the bottleneck that extends notification timelines well beyond what regulators expect.

  5. Review your cyber insurance policy. Small colleges are increasingly being denied coverage or facing premium increases. Ensure your policy covers the forensic investigation, notification costs, and credit monitoring that a breach demands.

Tags:breachcollegeunauthorized_accessnew_yorkssnpassport

Related Analysis

Fort Scott Community College Breach Compromises SSNs and Financial Data
5 min read
Clackamas Community College Breach Hits 33,000 After Dual Intrusion
5 min read
Portland Public Schools Breach Exposes 12,000 Students and Staff
5 min read